Get Policy
Retrieve the current policy configuration for your organization.
curl -H "X-API-Key: sk_live_your_key_here" \
https://api.turen.dev/api/v1/policy
Response
{
"version": "v1.4.2",
"name": "default",
"updated_at": "2026-02-15T14:00:00Z",
"rules": {
"min_scorecard": 5.0,
"review_scorecard": 8.0,
"max_known_vulnerabilities": 5,
"block_on_critical_vuln": true,
"require_provenance": false,
"allow_provenance_fallback": true,
"review_on_new_package_days": 30,
"allowed_licenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
"typosquat_action": "review",
"typosquat_threshold": 0.85
},
"blocked_packages": [],
"blocked_maintainers": []
}
Response Fields
| Field | Type | Description |
|---|
version | string | Policy version identifier |
name | string | Policy name (default: “default”) |
updated_at | string | When the policy was last modified |
rules | object | Policy threshold values |
blocked_packages | array | Explicitly blocked packages |
blocked_maintainers | array | Explicitly blocked maintainers |
Rules Fields
| Field | Type | Description |
|---|
min_scorecard | number | Minimum OpenSSF Scorecard score (0-10). Below this = block. |
review_scorecard | number | Score threshold for manual review (0-10) |
max_known_vulnerabilities | number | Max allowed CVEs per package |
block_on_critical_vuln | boolean | Block packages with critical CVEs |
require_provenance | boolean | Require SLSA provenance |
allow_provenance_fallback | boolean | Allow if provenance can’t be verified |
review_on_new_package_days | number | Flag packages newer than N days |
allowed_licenses | array | List of allowed SPDX license identifiers |
typosquat_action | string | Action for typosquat detection (block or review) |
typosquat_threshold | number | Similarity threshold for typosquat detection (0-1) |
Update Policy
Update policy thresholds for your organization.
curl -X PUT \
-H "X-API-Key: sk_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"rules": {
"min_scorecard": 7.0,
"review_scorecard": 9.0,
"max_known_vulnerabilities": 0
},
"blocked_packages": [],
"blocked_maintainers": []
}' \
https://api.turen.dev/api/v1/policy
Request Body
| Field | Type | Description |
|---|
rules | object | Policy threshold values to update (see Rules Fields above) |
blocked_packages | array | Packages to explicitly block |
blocked_maintainers | array | Maintainers to explicitly block |
Only include the fields you want to change within the rules object. Omitted fields retain their current values.
Response
Returns the updated policy (same schema as Get Policy).
Policy updates are distributed to agents at their next policy sync interval (every 15 minutes by default). No agent restart is required.
